This server's certificate chain is incomplete. Grade capped to B

Hello there,
I am using a certificate issued by Let’s Encrypt for our website, The site is hosted at Siteground and protected by Sucuri Firewall services.

We have switched our webiste to https since a few days. While the website works correctly, our RSS feed services are being rejected on some platforms. Further investigation using W3C validator will show that the certificate: “Server returned [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)”.

At this point we have verified the certificate at ssllabs and the output states that “This server’s certificate chain is incomplete. Grade capped to B.”

How can I fix this, assuming I am not an expert?

1 Like

Hi @IdolR

please share your domain name. There are different problems possible -> different solutions. Check your website with https://check-your-website.server-daten.de/ - then you see, if you send too much or too less certificates.

2 Likes

Hello Juergen,
this is the website: www.acornhouse.school

There

is your incomplete chain, should look like

so your server doesn’t send the interemediate certificate.

But I don’t know how your

Server: Sucuri/Cloudproxy

works. What’s the SSL configuration (definitions with cert.pem / chain.pem / fullchain.pem)?

2 Likes

I really don’t know, as I am not an expert.

Questions:

  • Can this depend on DNS records set incorrectly?
  • Sucuri is acting as a proxie that filters traffic through their firewall and forwards all to the ISP. In this scenario is the faulty certificate being used only by Sucuri or is this being used also on the ISP end? I ask so I can narrow down the problem.
  • To address quickly this problem, what should I ask to the ISP and what should I ask to Sucuri?

I really appreciate your help!

1 Like

No.

Yes.

To check your certificate (chain).
Referrence: SSL Server Test: www.acornhouse.school (Powered by Qualys SSL Labs)

Impossible to answer...
Your actual site (IP) is NOT known/visible to the Internet.
[but, even if it were, it should have no negative impact on the Internet users' experience]

3 Likes

Thanks a lot for your help. I will forward all this to them

2 Likes

I don't know how Sucuri works. Terminates Sucuri the SSL or does this your server?

Where is the certificate installed? You have to find that place and change the configuration.

PS: But you can share your real ip address or test your real address with "check your website". Then you see, if your ip address sends the correct chain.

1 Like

Thanks everyone, tech support at Sucuri has fixed the issue, also using your suggestions and input! Thanks again :slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.